10.4
0-day
50 个模型检测该样本为恶意!
重新分析
更多

d5e8cf0f58e3a69cc637230d5b2a369130cdb2733395703b408a367ef265763f

983e251cf15cef6ab3a382de40afcc11.exe

分析耗时

84s

最近分析

文件大小

667.0KB
静态报毒 动态报毒 100% AGENTTESLA AI SCORE=88 ATTRIBUTE AZAYW BUFIP7 CONFIDENCE CRYSISTC ELDORADO FAMVT FAREIT FORMBOOK GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HSSK HTFJIJ IGENT KRYPTIK MALWARE@#26Y041XNRNA0P PACKEDNET PM0@AINIVBD PWSX QGPR SCORE SUSPICIOUS PE TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FXH!983E251CF15C 20201023 6.0.6.653
Alibaba Trojan:MSIL/AgentTesla.9bc0a290 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201023 18.4.3895.0
Tencent Msil.Trojan.Crypt.Hssk 20201023 1.0.0.1
Kingsoft 20201023 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619808180.766001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 113 个事件)
Time & API Arguments Status Return Repeated
1619781071.91985
IsDebuggerPresent
failed 0 0
1619781071.91985
IsDebuggerPresent
failed 0 0
1619781073.24785
IsDebuggerPresent
failed 0 0
1619781073.71685
IsDebuggerPresent
failed 0 0
1619781074.24785
IsDebuggerPresent
failed 0 0
1619781074.71685
IsDebuggerPresent
failed 0 0
1619781075.24785
IsDebuggerPresent
failed 0 0
1619781075.71685
IsDebuggerPresent
failed 0 0
1619781076.24785
IsDebuggerPresent
failed 0 0
1619781076.71685
IsDebuggerPresent
failed 0 0
1619781077.24785
IsDebuggerPresent
failed 0 0
1619781077.71685
IsDebuggerPresent
failed 0 0
1619781078.24785
IsDebuggerPresent
failed 0 0
1619781078.71685
IsDebuggerPresent
failed 0 0
1619781079.24785
IsDebuggerPresent
failed 0 0
1619781079.71685
IsDebuggerPresent
failed 0 0
1619781080.24785
IsDebuggerPresent
failed 0 0
1619781080.71685
IsDebuggerPresent
failed 0 0
1619781081.24785
IsDebuggerPresent
failed 0 0
1619781081.71685
IsDebuggerPresent
failed 0 0
1619781082.24785
IsDebuggerPresent
failed 0 0
1619781082.71685
IsDebuggerPresent
failed 0 0
1619781083.24785
IsDebuggerPresent
failed 0 0
1619781083.71685
IsDebuggerPresent
failed 0 0
1619781084.24785
IsDebuggerPresent
failed 0 0
1619781084.71685
IsDebuggerPresent
failed 0 0
1619781085.24785
IsDebuggerPresent
failed 0 0
1619781085.71685
IsDebuggerPresent
failed 0 0
1619781086.24785
IsDebuggerPresent
failed 0 0
1619781086.71685
IsDebuggerPresent
failed 0 0
1619781087.24785
IsDebuggerPresent
failed 0 0
1619781087.71685
IsDebuggerPresent
failed 0 0
1619781088.24785
IsDebuggerPresent
failed 0 0
1619781088.71685
IsDebuggerPresent
failed 0 0
1619781089.24785
IsDebuggerPresent
failed 0 0
1619781089.71685
IsDebuggerPresent
failed 0 0
1619781090.24785
IsDebuggerPresent
failed 0 0
1619781090.71685
IsDebuggerPresent
failed 0 0
1619781091.24785
IsDebuggerPresent
failed 0 0
1619781091.71685
IsDebuggerPresent
failed 0 0
1619781092.24785
IsDebuggerPresent
failed 0 0
1619781092.71685
IsDebuggerPresent
failed 0 0
1619781093.24785
IsDebuggerPresent
failed 0 0
1619781093.71685
IsDebuggerPresent
failed 0 0
1619781094.24785
IsDebuggerPresent
failed 0 0
1619781094.71685
IsDebuggerPresent
failed 0 0
1619781095.24785
IsDebuggerPresent
failed 0 0
1619781095.71685
IsDebuggerPresent
failed 0 0
1619781096.24785
IsDebuggerPresent
failed 0 0
1619781096.71685
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619808181.391001
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\rBCXOoIyi"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619781072.07585
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 96 个事件)
Time & API Arguments Status Return Repeated
1619781071.02885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006d0000
success 0 0
1619781071.02885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e0000
success 0 0
1619781071.27885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x023f0000
success 0 0
1619781071.27885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02550000
success 0 0
1619781071.37285
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619781071.91985
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006d0000
success 0 0
1619781071.91985
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00790000
success 0 0
1619781071.91985
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034a000
success 0 0
1619781071.91985
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619781071.91985
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00342000
success 0 0
1619781072.10685
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00352000
success 0 0
1619781072.31085
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00375000
success 0 0
1619781072.31085
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0037b000
success 0 0
1619781072.31085
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00377000
success 0 0
1619781072.48185
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00353000
success 0 0
1619781072.54485
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0035c000
success 0 0
1619781072.66985
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a0000
success 0 0
1619781072.82585
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00354000
success 0 0
1619781073.35685
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00355000
success 0 0
1619781073.38885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00357000
success 0 0
1619781073.45085
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0036a000
success 0 0
1619781073.45085
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00367000
success 0 0
1619781073.52885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00366000
success 0 0
1619781073.59185
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a1000
success 0 0
1619781073.79485
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a4000
success 0 0
1619781073.82585
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00358000
success 0 0
1619781114.82585
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a5000
success 0 0
1619781114.84185
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02551000
success 0 0
1619781114.88885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a6000
success 0 0
1619781114.98185
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034c000
success 0 0
1619781114.99785
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a7000
success 0 0
1619781115.02885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00359000
success 0 0
1619781115.02885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a8000
success 0 0
1619781115.02885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a9000
success 0 0
1619781115.09185
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 243712
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a80400
failed 3221225550 0
1619781119.45085
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005aa000
success 0 0
1619781119.46685
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x045d0000
success 0 0
1619781119.46685
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ab000
success 0 0
1619781119.51385
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ac000
success 0 0
1619781119.63885
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ad000
success 0 0
1619781119.66985
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ae000
success 0 0
1619781119.96685
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005af000
success 0 0
1619781120.18585
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04d60000
success 0 0
1619781120.18585
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04d61000
success 0 0
1619781120.20085
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a80178
failed 3221225550 0
1619781120.20085
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a801a0
failed 3221225550 0
1619781120.20085
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a801c8
failed 3221225550 0
1619781120.20085
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a801f0
failed 3221225550 0
1619781120.20085
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a80218
failed 3221225550 0
1619781120.20085
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04abc54e
failed 3221225550 0
A process attempted to delay the analysis task. (1 个事件)
description 983e251cf15cef6ab3a382de40afcc11.exe tried to sleep 149 seconds, actually delayed analysis time by 149 seconds
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\rBCXOoIyi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1534.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rBCXOoIyi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1534.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619781120.99785
ShellExecuteExW
parameters: /Create /TN "Updates\rBCXOoIyi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1534.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.558216966706421 section {'size_of_data': '0x0007aa00', 'virtual_address': '0x00002000', 'entropy': 7.558216966706421, 'name': '.text', 'virtual_size': '0x0007a914'} description A section with a high entropy has been found
entropy 0.735933983495874 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619781072.93585
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\rBCXOoIyi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1534.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rBCXOoIyi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1534.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619781123.96685
NtAllocateVirtualMemory
process_identifier: 2944
region_size: 188416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000aaa8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1534.tmp
Potential code injection by writing to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619781123.96685
WriteProcessMemory
process_identifier: 2944
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $s5ê7p[¹7p[¹7p[¹Xð¹qp[¹XŹ4p[¹Xƹ6p[¹Rich7p[¹PELŽ®¦Aà  Æpíà@à@.text4ÅÆ `
process_handle: 0x0000aaa8
base_address: 0x00400000
success 1 0
1619781123.96685
WriteProcessMemory
process_identifier: 2944
buffer: @
process_handle: 0x0000aaa8
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619781123.96685
WriteProcessMemory
process_identifier: 2944
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $s5ê7p[¹7p[¹7p[¹Xð¹qp[¹XŹ4p[¹Xƹ6p[¹Rich7p[¹PELŽ®¦Aà  Æpíà@à@.text4ÅÆ `
process_handle: 0x0000aaa8
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2452 called NtSetContextThread to modify thread in remote process 2944
Time & API Arguments Status Return Repeated
1619781123.96685
NtSetContextThread
thread_handle: 0x000096b0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4320624
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2452 resumed a thread in remote process 2944
Time & API Arguments Status Return Repeated
1619781124.20085
NtResumeThread
thread_handle: 0x000096b0
suspend_count: 1
process_identifier: 2944
success 0 0
Executed a process and injected code into it, probably while unpacking (17 个事件)
Time & API Arguments Status Return Repeated
1619781071.91985
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2452
success 0 0
1619781071.91985
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2452
success 0 0
1619781072.09185
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 2452
success 0 0
1619781073.15385
NtResumeThread
thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2452
success 0 0
1619781073.20085
NtResumeThread
thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2452
success 0 0
1619781120.21685
NtResumeThread
thread_handle: 0x00004860
suspend_count: 1
process_identifier: 2452
success 0 0
1619781120.21685
NtResumeThread
thread_handle: 0x0000e234
suspend_count: 1
process_identifier: 2452
success 0 0
1619781120.99785
CreateProcessInternalW
thread_identifier: 3036
thread_handle: 0x0000f6ec
process_identifier: 1124
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rBCXOoIyi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1534.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000f2f0
inherit_handles: 0
success 1 0
1619781123.96685
CreateProcessInternalW
thread_identifier: 2188
thread_handle: 0x000096b0
process_identifier: 2944
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000aaa8
inherit_handles: 0
success 1 0
1619781123.96685
NtGetContextThread
thread_handle: 0x000096b0
success 0 0
1619781123.96685
NtAllocateVirtualMemory
process_identifier: 2944
region_size: 188416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000aaa8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619781123.96685
WriteProcessMemory
process_identifier: 2944
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $s5ê7p[¹7p[¹7p[¹Xð¹qp[¹XŹ4p[¹Xƹ6p[¹Rich7p[¹PELŽ®¦Aà  Æpíà@à@.text4ÅÆ `
process_handle: 0x0000aaa8
base_address: 0x00400000
success 1 0
1619781123.96685
WriteProcessMemory
process_identifier: 2944
buffer:
process_handle: 0x0000aaa8
base_address: 0x00401000
success 1 0
1619781123.96685
WriteProcessMemory
process_identifier: 2944
buffer: @
process_handle: 0x0000aaa8
base_address: 0x7efde008
success 1 0
1619781123.96685
NtSetContextThread
thread_handle: 0x000096b0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4320624
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
1619781124.20085
NtResumeThread
thread_handle: 0x000096b0
suspend_count: 1
process_identifier: 2944
success 0 0
1619781124.20085
NtResumeThread
thread_handle: 0x00010dc8
suspend_count: 1
process_identifier: 2452
success 0 0
File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)
Bkav W32.FamVT.CrysisTC.Trojan
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43633114
FireEye Generic.mg.983e251cf15cef6a
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FXH!983E251CF15C
Cylance Unsafe
K7AntiVirus Trojan ( 0056c38b1 )
Alibaba Trojan:MSIL/AgentTesla.9bc0a290
K7GW Trojan ( 0056c38b1 )
Cybereason malicious.e9b145
Arcabit Trojan.Generic.D299C9DA
Cyren W32/MSIL_Kryptik.BJR.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.43633114
NANO-Antivirus Trojan.Win32.Crypt.htfjij
Paloalto generic.ml
Tencent Msil.Trojan.Crypt.Hssk
Ad-Aware Trojan.GenericKD.43633114
Comodo Malware@#26y041xnrna0p
DrWeb Trojan.PackedNET.406
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Generic.jh
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.MSIL.qgpr
Webroot W32.Trojan.Gen
Avira TR/Kryptik.azayw
eGambit Unsafe.AI_Score_99%
Microsoft Trojan:MSIL/AgentTesla.VN!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Trojan.GenericKD.43633114
AhnLab-V3 Trojan/Win32.Formbook.C4178385
BitDefenderTheta Gen:NN.ZemsilF.34570.Pm0@aiNIVBd
ALYac Trojan.GenericKD.43633114
MAX malware (ai score=88)
VBA32 TScope.Trojan.MSIL
ESET-NOD32 a variant of MSIL/Kryptik.XHJ
Yandex Trojan.Igent.bUfip7.22
Ikarus Trojan.MSIL.Inject
Fortinet MSIL/Kryptik.XTP!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/Trojan.21a
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-10 09:33:03

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.